Dear games industry. Grow up
Saturday, January 7th, 2012
2011 was the year of the games industry, as a whole, getting hacked.
Dear games industry; huge international publishers and development studios: are you seriously going to tell me you didn’t see this coming?
For the last several years, the games industry has been infested by a plague of account systems. EVERY company wanted their customers to sign up for THEIR unique account, marketplace, community and download central, preferably with separate accounts for each. And then another account for support requests, of course. And the more of these accounts can be associated with credit card information, the better. And of course, in true games industry fashion, as much as possible should be developed in-house.
Every games company wants me to create a unique account just for them. Every games company wants my password. And apparently, nearly as many let their security be handled by Joe the Intern who does their website on weekends.
It’s absurd. And not just because you are getting hacked en masse, and your users have their sensitive information leaked to hackers courtesy of you and your incompetence and your stubborn insistence on acquiring sensitive information that you have no need of, no business storing, and are not qualified to handle and safeguard.
It is also absurd because, even when you are not being hacked, it is infuriating your users. I don’t want to have to invest in your imaginary currency (which can only be bought in bulk, in quantities conveniently designed to force the buyer to spend more money up front than the price of the item they wanted to buy), in order to purchase DLC for my games. I don’t want to have to remember 47 different account usernames and passwords. I don’t want to have to remember which email address I signed up with two years ago on the company you bought 6 months ago and whose account database you have now integrated into yours.
I don’t want to have to guess whether I am supposed to log in with my Bioware account or my EA account when unlocking stuff for my Bioware game (published by EA). I don’t want to have to log in to both Steam and GfWL to play a game. I don’t want to have to log in to Rockstar Games Social Club. Sega, was it worth it to make me sign up for a Sega Pass? Did you get enough value out of yet another username in your database to justify my password now being in the hands of hackers?
All of you, do you really need me to sign up for anything at all? Or is this just your vanity and your 20-year-old habit of prompting users to “please fill in your registration card while you wait for the installer”, updated to the internet era for no reason whatsoever?
The rest of the world has, by and large, learned a couple of important lessons over the last years:
- online security is hard, and
- users have plenty of accounts everywhere already, and they don’t want to have to sign up for your exclusive site any more than they want to sign up for the 400 other sites they visited recently.
Thus, quite a lot of serious websites now “outsource” the account security business to those who are qualified to handle it. We have Facebook Connect, relying on the assumption that Facebook, a site with 400 million users, and a very tempting target for hackers, is able to deal securely with authentication, and we have OpenID, relying on the assumption that users themselves will use a provider that they trust among the countless different ones available.
What these have in common is that they allow you, the company hosting a website and an online service, to provide all the benefits of a personal user account to your users, but without you ever seeing a password, and without you being able to lose quite as much sensitive data when you get hacked. It also provides the convenience benefit of allowing the user (without forcing the user to do so) to reuse the same user ID across multiple sites, and it even offers the potential for exchanging (with the users’ consent, of course) information between different game companies.
And you know what? Steam is an OpenID provider. You could implement OpenID-based authentication, and people would be able to log in with their Steam ID (or their GMail account, or any of the dozens of other OpenID providers, of course), and you wouldn’t have to worry about protecting their passwords.
You could, practically in your lunch break, write a login system which allows GMail users, Steam users and Facebook users to log in using their credentials from those services, handled securely by those services, where you get all the benefit of juicy direct and “exclusive” access to the user, without the headaches of “how do we store the users’ usernames and passwords?”, and without hassling the user with “please come up with a username and password for yet another site”.
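As an added illustration (not the author’s code), here is the relying-party side of such a Steam OpenID login in Python: the site only ever receives a signed assertion of a SteamID and never sees a password, and the checks shown (our own return URL, the expected provider, a fresh unseen nonce, the provider’s own verdict) are what stop a forged or replayed assertion. The endpoint and identity prefix are assumed from Steam’s public OpenID 2.0 service; the return URL, the sample response fields and the stand-in provider are constructed.

```python
import calendar, time

# Steam's OpenID 2.0 endpoint and identity URL prefix (assumed from its public service).
STEAM_OP_ENDPOINT = "https://steamcommunity.com/openid/login"
STEAM_ID_PREFIX = "https://steamcommunity.com/openid/id/"
RETURN_TO = "https://example-games.test/login/steam"  # hypothetical relying-party URL
# Fields the provider's signature must cover for the assertion to be worth anything.
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}

def verify_steam_login(params, post, seen_nonces, now=None):
    """Validate the indirect response the browser brought back; return the SteamID64 or None.
    `post(url, fields)` performs the direct request to the provider and returns the body text."""
    # Only accept positive assertions from the provider we asked, addressed to our own URL.
    if (params.get("openid.mode") != "id_res"
            or params.get("openid.op_endpoint") != STEAM_OP_ENDPOINT
            or params.get("openid.return_to") != RETURN_TO):
        return None
    claimed = params.get("openid.claimed_id", "")
    if claimed != params.get("openid.identity") or not claimed.startswith(STEAM_ID_PREFIX):
        return None
    if not REQUIRED_SIGNED <= set(params.get("openid.signed", "").split(",")):
        return None
    # Replay protection: the nonce starts with a UTC timestamp and must be fresh and unseen.
    nonce = params.get("openid.response_nonce", "")
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return None
    if nonce in seen_nonces or abs((now or time.time()) - issued) > 300:
        return None
    # Ask the provider itself whether it signed exactly these fields; its reply is key:value lines.
    check = dict(params, **{"openid.mode": "check_authentication"})
    if "is_valid:true" not in post(STEAM_OP_ENDPOINT, check).splitlines():
        return None
    seen_nonces.add(nonce)
    return claimed[len(STEAM_ID_PREFIX):]

def sample_response(nonce="2012-01-07T12:00:00Zconstructed"):
    """Constructed example of the fields Steam would redirect back with (not a real login)."""
    sid = STEAM_ID_PREFIX + "76561190000000001"  # constructed SteamID64
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
            "openid.op_endpoint": STEAM_OP_ENDPOINT, "openid.claimed_id": sid, "openid.identity": sid,
            "openid.return_to": RETURN_TO, "openid.response_nonce": nonce, "openid.assoc_handle": "h1",
            "openid.signed": ",".join(sorted(REQUIRED_SIGNED)), "openid.sig": "constructed=="}

def fake_post(url, fields):
    """Stand-in for the provider, answering as Steam would for a genuine signature."""
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"
```

In production `post` would be a real HTTPS request to the provider, and `seen_nonces` a shared store, but nothing about the user’s password ever reaches the site.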
So, dear games industry. I’m sure that pretty much anyone who has played a game over the last decade has already had his username, password, pet name, address and credit card info leaked by now, thanks to you.
But how about putting a stop to it from now on? How about leaving security to the companies that actually invest in it, and who make it their business? How about, along the way, getting rid of the current account hell where every user has to, for every game, every development studio and every publisher, remember a unique combination of URL (where your “service” is hosted this month, after the latest relaunch, the latest merger or the latest “let’s just start over because our previous system sucked”), and username, password and email address to log in to said URL?
How about making your jobs easier, while also treating your customers better and giving less information away to hackers?
How about growing up and catching up?
A common sentiment when these hacks really exploded this past summer was “these hackers need to be stopped”, but that’s missing the point. They’re only showing how absolutely trivial it is to hack a huge number of websites. Arresting them, torturing them for a few years at Gitmo or condemning them to the deepest pit of Hell doesn’t matter, because your websites are still vulnerable, and in a world of 7 billion people, someone is going to try to exploit it.
Yes, the hackers need to be held accountable, but so do you. You are the ones who chose to start hoarding user information, and you are the ones who didn’t even care enough about your users to do so securely. You are the ones who betrayed your users. You are the ones who failed to live up to the responsibility you wouldn’t even have had if you’d stuck to your actual business: making games, rather than collecting usernames and passwords.
Grow up. Start storing only the data you actually need, and make sure that what you do store is kept absolutely goddamn secure. If you ever even see my password, encrypted, hashed and salted or otherwise, you are doing it wrong.